I'm trying to put together a starting list of patches required to get 3.7.1p2 working in our environment. I'm pretty sure I need the following at minimum but would like guidance about a couple of them and direction on a couple unanswered questions. I've spent most of the morning trolling the archives, but I feel that I've still got gaps in my understanding. I would greatly appreciate additional clarification.

My questions are linked as footnotes with numbers in brackets

Our environment:
- Solaris (2.6, 8) with:
    PAM [1]
    password forced change (both for new accounts and inactivity) [2]
    BSM for some hosts [3]
    Some sparcv9 (64-bit) [4]
- HP-UX (mostly 11.x)
    PAM
    both trusted and untrusted [5]
    password forces change like Solaris [6]
- We're also working on some Linux, but it's probably too early to worry about it now

So here are my questions/observations:
- [1] Should work fine w/ --use-pam & UsePam=yes except for [2]
- [2] I found a patch from Darren, but according to a later post it doesn't apply against stock 3.7.1p2. Does anyone have a version that does? Use of -current disturbs me since I'm trying to write up a standards doc that will be normative until a new vulnerability arises or enough other changes take place to warrant upgrade on several hundred servers.
- [3] We are currently using 3.4p1 with the BSM patch along with UseLogin=yes for hosts that are BSM enabled. According to one email with no reply, that patch is MIA for 3.7.1p2. Does anyone have a replacement?
- [4] I found a patch for this that I plan on using. No worries here.
- [5/6] I've found disturbing comments about issues with trusted. Are there any good or trial patches to resolve this? Can anyone fully elaborate what the limitations are?
- General concerns: I understand we'll want to use keyboard-interactive & publickey for our only auth types. Is this correct? Anyone have really strong recommendations on openssl/zlib versions?

Thanks all for a great product,
--Jason
The Alchemist wrote:
> I'm trying to put together a starting list of patches required to get
> 3.7.1p2 working in our environment. I'm pretty sure I need the following
> at minimum but would like guidance about a couple of them and direction
> on a couple unanswered questions. I've spent most of the morning
> trolling the archives, but I feel that I've still got gaps in my
> understanding. I would greatly appreciate additional clarification.
>
> My questions are linked as footnotes with numbers in brackets
>
> Our environment:
> - Solaris (2.6, 8) with:
>     PAM [1]
>     password forced change (both for new accounts and inactivity) [2]

zip.com.au/~dtucker/openssh/openssh-3.7.1p2-pwexp24.patch

The only issue is currently you won't get warnings (eg "your password will expire in x days") but the expiry should work OK.

>     BSM for some hosts [3]

bugzilla.mindrot.org/show_bug.cgi?id=125

>     Some sparcv9 (64-bit) [4]
> - HP-UX (mostly 11.x)
>     PAM
>     both trusted and untrusted [5]

zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch

>     password forces change like Solaris [6]

Same expiry patch as Solaris above.

> - We're also working on some Linux, but it's probably too early to worry
>   about it now
>
> So here are my questions/observations:
> - [1] Should work fine w/ --use-pam & UsePam=yes except for [2]
> - [2] I found a patch from Darren, but according to a later post it
>   doesn't apply against stock 3.7.1p2.

There's an updated patch now, link see above.

> - [5/6] I've found disturbing comments about issues with trusted. Are
>   there any good or trial patches to resolve this? Can anyone fully
>   elaborate what the limitations are?

a) sshd didn't correctly handle password authentication for Trusted systems. We changed it so HP-UX used the normal shadow interface, which caused:
b) sshd thinks the accounts are locked when they're not
c) sshd thinks the passwords expire 1 day after they're changed

Those are fixed in the current development versions and the HP-UX patch above.
-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.